Re: iptables and -s, -i parameters combined
From: Adaptrx (adaptr@adaptr.xs4all.nl) Date: 01/31/02
From: "Adaptrx" <adaptr@adaptr.xs4all.nl> Date: Thu, 31 Jan 2002 23:12:55 +0100
"Jeff C" <jeffc@sympatico.ca> wrote in message
news:3C560F7E.8712EADF@sympatico.ca...
>
> I have a line in my iptables script;
>
> iptables -A protect -m state --state NEW -i eth0 -j ACCEPT
>
> I was thinking, to add more security to this line I could add the source
> address. Since my internal network on eth0 is all private address from
> one group I could add the -s like this;
>
> iptables -A protect -m state --state NEW -i eth0 -s 192.168.1.0/24 -j ACCEPT
>
> This should make sure only packets from eth0 (internal LAN) with source
> addresses 192.168.1.x are allowed out.
>
> I couldn't find anything in the iptables how to or man pages saying you
> could use both the -i and -s parameters. It seems to work. Does anyone
> know about this? Or is the extra -s an unnecessary addition?
Unnecessary... that depends
Of course, only two (2) types of packets go into your own LAN interface:
1.) bad packets, i.e. errors, and
2.) spoofed packets, with a fraudulent IP address, BUT these can only come
from a machine on your own LAN, and only Win NT can do that...
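The exchange above turns on one point: every match on a single iptables rule (-i, -s, -m state) is ANDed, so adding -s narrows the rule rather than replacing the -i test. The simulation below is an added example written for this thread, not code from either poster and not iptables itself; it models that AND semantics for the two rule variants quoted, with constructed sample packets. Interface names, the chain default policy of DROP and the packet fields are assumptions chosen to mirror the rules in the post.

```python
"""Model of how netfilter combines the matches on one iptables rule.

Added example for this thread, not code from the original post and not
iptables itself.  Interface names, addresses, the DROP default policy and
the sample packets are assumptions modelled on the rules quoted above.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on (what -i tests)
    src: str        # source IP address (what -s tests)
    state: str      # "NEW" or "ESTABLISHED", as -m state would classify it


@dataclass(frozen=True)
class Rule:
    target: str
    in_iface: Optional[str] = None   # -i <iface>
    src: Optional[str] = None        # -s <address or CIDR>
    state: Optional[str] = None      # -m state --state <STATE>

    def matches(self, pkt: Packet) -> bool:
        # Every match option given on the rule must hold (logical AND);
        # options that were not given are simply not tested.
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        if self.state is not None and pkt.state != self.state:
            return False
        return True


def run_chain(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; fall through to the chain policy otherwise."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The two variants from the post: the original rule, and the one with -s added.
LOOSE = [Rule("ACCEPT", in_iface="eth0", state="NEW")]
STRICT = [Rule("ACCEPT", in_iface="eth0", src="192.168.1.0/24", state="NEW")]


def compare(pkt: Packet) -> Tuple[str, str]:
    """Verdict of the loose chain and of the strict chain for one packet."""
    return run_chain(LOOSE, pkt), run_chain(STRICT, pkt)


# Constructed sample traffic (assumption): a LAN host, a host on the LAN
# segment using an address outside the LAN range, the same LAN address
# arriving on the wrong interface, and non-NEW traffic.
SAMPLE_PACKETS = [
    Packet("eth0", "192.168.1.20", "NEW"),
    Packet("eth0", "10.1.2.3", "NEW"),
    Packet("ppp0", "192.168.1.20", "NEW"),
    Packet("eth0", "192.168.1.20", "ESTABLISHED"),
]


def demo() -> List[Tuple[Packet, str, str]]:
    """Run every sample packet through both chains and report the verdicts."""
    return [(p, *compare(p)) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, loose, strict in demo():
        print(f"{pkt.in_iface:5} {pkt.src:14} {pkt.state:12} "
              f"without -s: {loose:7} with -s: {strict}")
```

The only packet the two chains disagree on is the one that arrives on eth0 with a source outside 192.168.1.0/24: the loose rule accepts it, the strict rule lets it fall through to the policy. That is exactly the case the reply describes, a packet on the LAN interface carrying an address that does not belong there, so the extra -s is not redundant with -i; it is the only part of the rule that sees it.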